Today we're going to talk about how to set up zero touch provisioning for your environment. So first off, what is zero touch provisioning? Zero touch provisioning is when a user sets up a computer themselves without any IT interaction.
The popular Jamf phrase is:
Open the box
Power on your MacBook
There is no step three
But how do we actually get there? Before we get started, I want to show you a video of what this looks like.
You've probably seen this in demos. Zero Touch is where a user opens up the computer for the first time, turns it on, and then goes through the setup assistant. They connect to Wi-Fi, and once they're connected, they see this remote management screen.
They may log in with their username and password from AD, then their user account is created automatically. They log in again to get to the home screen, and then they'll see this typical provisioning window where it will bring them through the installation of all the different components that they need in order to do their job.
Building Zero Touch
In a basic sense, that's what it looks like, but how does it work, and how do we get there? I'll say this a lot: it's a common perception among people being introduced to Jamf and MDM for the first time that zero touch provisioning just happens, that once you purchase Jamf, you have zero touch. However, that's like saying that if you bought a bunch of lumber, some nails and a hammer, you have a house. It's a great first step, but you have really only just started on that project.
When we're talking about zero touch, this is really an intersection between three different things: user experience, security, and the simplicity of the workflow.
Zero touch takes all these components and makes sure that they intersect in the middle. It is an all or nothing thing. If you're 99% of the way there, you're not going to be able to drop ship a computer to a user and be assured that it's going to be set up exactly how they need it to be on day one. So, you need to make sure that you can get all those different teams working together to say, "Hey, how can we get a workflow that's going to work for our users?"
This will take compromises, a word many people are not fond of. For instance, with the user experience, if you want zero touch to be part of your workflow, you can't automate having the users log into all their different pieces of software. On the security side, we're going to need to make sure that the users are able to set up their computers remotely, and we have workflows in place that aren't going to require IT to interact with it ahead of time.
This takes a lot of work and a lot of discussion before we even get started. Let's dive into what this process looks like. At the beginning of this process, we like to ask a lot of questions about a customer's environment. Once we've asked those questions, we create a list of all the things that the user needs on day one. We then look at that list and address any challenges in it, for example: which items are going to be the hardest to automate. Lastly, we set up the provisioning workflow through Jamf Pro.
Questions to Ask
Here are some questions we typically ask people when they're setting up zero touch provisioning for the first time:
Do you have an ID provider like Okta, Azure AD, or any of the other popular ones?
Do you have a local AD server that you're connecting to?
Do you have different apps and configurations that you need for different users, or is everyone kind of getting the same configurations?
What do the users need?
Do you have a VPN that users are connecting to when they're working remotely?
Do you need users to connect to your office Wi-Fi?
If so, how are they currently connecting?
Do you need certificates?
Do you need to connect to a Cisco ISE server or another type of complex server?
What security requirements do you have?
What applications do your users need on day one?
First Day Experience
Let's start with the last question first. How do you want a user's first day with their new computer to be? Are they coming into the office to receive that Mac? Is their Mac being sent directly to their home? Will they be joining a Zoom meeting for some type of orientation? Is there any type of official orientation that they're going to go through, or are they kind of on their own with getting things set up? Is there an external set of instructions that you want users to follow, or do you want all the instructions to be on screen? Are you 100% sure that all your computers are in Apple Business Manager?
In order to truly set up zero touch provisioning, we need automated enrollment in place through Apple Business Manager, which can be a challenge if you're working with third-party resellers. You may need to work with your reseller a bit to ensure they put your Apple devices in Apple Business Manager immediately after you order them.
Creating a List
Now that you've asked a bunch of questions, you need to create a list of everything that you need. Moving forward, I will be using an example of a zero touch provisioning workflow we set up for one of our clients. They specifically needed:
CrowdStrike for a security requirement
McAfee web proxy
NoMAD for password synchronization with AD
FileVault encryption
A screen saver lock
Cisco AnyConnect to connect to their local VPN
Printers
Microsoft Office
A Wi-Fi profile to connect to their local network
A host of internal certificates to connect to different internal resources
Once we make that list, then it's time to address the challenges.
Addressing Challenges
Jamf Pro Integrations
Many of the challenges we face when setting up Zero-Touch Provisioning in Jamf Pro have to do with integrating different platforms with Jamf Pro. Part of this challenge for us, when we're working with clients, is that we often don't have access to the services we are integrating with, and sometimes those integrations don't natively exist and require custom workflows to be created.
Getting user information into Jamf Pro can be part of this challenge. This can be done through Single Sign-On and Cloud Identity Provider integration, but if that's not available, we may have to use LDAP Integration. Typically this means integrating with a local AD server, which can be a greater challenge because the security risks of integrating it with Jamf Cloud require setting up Jamf Infrastructure Manager in the DMZ. This requires us to work with several teams to get this one integration set up.
Apple Business Manager is absolutely essential for organizations and, although the integration itself is pretty easy to set up, creating an Apple Business Manager account initially and ensuring your current devices are all in there can be a big challenge.
There are many other integrations you might need, with varying levels of complexity to set up depending on your environment:
Device Compliance with Intune (or the legacy Conditional Access)
ADCS Connector (if you need machine or user certificates)
Cisco Identity Services Engine (ISE) Integration (which can pose an even greater challenge if you're using the MDM Compliance feature)
Automatically Grouping Devices
Another challenge that people typically face is automatically grouping your devices. So, if you imagine drop shipping a computer to a user and having them set up that computer themselves, you're going to need to make sure that they're in the right group so they get the right software.
One option is using Cloud Identity Provider or LDAP Integration (which is a challenge in and of itself, as mentioned before). With either of these, you can sort computers by building and department or any other attribute you can get from those resources. If you don't have either of those, or if both those servers aren't really organized that well, you can use the User Choice option. With this method, we have the user select which department they're in, and then they'll get software based on that selection. That's not always the greatest choice if we're doing zero touch because that opens the door to user error, but sometimes is the best way to get around all of these challenges.
Automating Each Component
The last challenge is automating each component. This is the work we love to do at Rocketman, and where we see the true power of Jamf Pro. This includes scripting, packaging, utilizing policies and configuration profiles, setting up the necessary smart groups, and, when necessary, utilizing the API to set up complex workflows.
Setting Up the Provisioning Workflow
Now we're finally ready to start the provisioning workflow. But before we get started, we like to ask some questions again. What order does everything need to run in? Does it require any user interaction during the process?
Here's an example of what the process looks like:
Onboarding policy runs the DEPNotify script and package as an enrollment trigger
CrowdStrike installs
Cisco AnyConnect installs
McAfee installs
Printers install
Microsoft Office installs
Wi-Fi profile installs
Onboarding Policy
The onboarding policy installs the DEPNotify package, some enrollment videos, and the company branding. It runs the script DEPNotify, which is utilized to run the custom triggers.
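An onboarding script of the kind described above, as an added example that is not Rocketman's or Jamf's own code: it fires the custom triggers in a fixed order, updates DEPNotify through its control file, and checks on disk that each item landed before closing the window, so a Mac missing its security agent is not presented as ready. The trigger names, verification paths and the RUN_ONBOARDING switch are assumptions, and DEPNotify is assumed to be already running.

```bash
#!/bin/bash
# Added example: runs Jamf custom triggers in a fixed order and drives DEPNotify.
# Trigger names and verification paths below are assumptions, not from the article.

JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
DEP_LOG="${DEP_LOG:-/var/tmp/depnotify.log}"   # control file DEPNotify reads by default

# One step per line: custom trigger | label shown to the user | path that must exist after
STEPS="${STEPS:-install-crowdstrike|CrowdStrike|/Applications/Falcon.app
install-anyconnect|Cisco AnyConnect|/Applications/Cisco
install-mcafee|McAfee web proxy|
install-printers|Printers|
install-office|Microsoft Office|/Applications/Microsoft Word.app}"

# Append one command or status line for DEPNotify to pick up.
dep() { printf '%s\n' "$1" >> "$DEP_LOG"; }

# Run every step in order; return 0 only if each verifiable step left its artifact on disk.
run_onboarding() {
    failed=0
    total=$(printf '%s\n' "$STEPS" | grep -c .)
    dep "Command: MainTitle: Setting up your Mac"
    dep "Command: Determinate: $total"      # progress bar advances once per Status line
    while IFS='|' read -r trigger label verify; do
        [ -n "$trigger" ] || continue
        dep "Status: Installing $label..."
        # stdin is redirected so the jamf binary cannot consume the step list
        "$JAMF_BIN" policy -event "$trigger" </dev/null
        # Check the result on disk rather than trusting the exit code alone
        if [ -n "$verify" ] && [ ! -e "$verify" ]; then
            failed=$((failed + 1))
            echo "onboarding: $label ($trigger) not found at $verify" >&2
        fi
    done <<EOF
$STEPS
EOF
    if [ "$failed" -eq 0 ]; then
        dep "Command: Quit"                  # everything verified: close the window
        return 0
    fi
    # Keep the window open so a half-provisioned Mac is not presented as ready
    dep "Command: MainText: Setup did not finish ($failed item(s) missing). Please contact IT."
    return 1
}

# In a Jamf policy, set RUN_ONBOARDING=1 (or call run_onboarding directly) to execute.
if [ "${RUN_ONBOARDING:-0}" = "1" ]; then run_onboarding; exit $?; fi
```

Steps with an empty third field (printers, the web proxy) are run but not verified; give them a path or another check once you know what the installer leaves behind.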
Additional Tools and Tips
An additional tool that we like to use is DEPNotify, which runs the provisioning window. We also organize policies by the order in which they run. This is one of those lesser-known things within Jamf Pro: if you have a bunch of policies that run on the same trigger and you have them categorized in a certain alphabetical order, they will run in that order. So, it's super important to have a naming convention for your policies.
Another great option is to have one base setup that you have for everyone, and that's your group. You don't have any specific groups with different applications. You let each team manage their applications. This works pretty well in large enterprise device environments where you may have a lot of different departments with a lot of different needs, and instead of IT trying to control that, you allow the different teams to control the software that they need.
Lastly, pilot, improve, and test with each macOS version.
Overall, setting up zero touch provisioning takes a lot of work, but it's worth it for the user experience, security, and simplicity of the workflow.
Hello Chris & Hugo, Very curious, is the video available from Hugo's presentation @ MacAdmins Conference? Thank You! ~Patrick